4

I'm using System.Security.Cryptography.ProtectedData to protect the license data before writing it to the registry.

ProtectedData.Protect(Byte[], Byte[], DataProtectionScope.LocalMachine)

The DataProtectionScope is LocalMachine.

What are the parameters that ProtectedData uses to encrypt the string? If I copy the encrypted string to another machine, will it work?

Some users are reporting licensing problems. Is ProtectedData consistent?

JasonMArcher
techno
  • It's a wrapper for DPAPI's CryptProtectData function; there is lots of documentation: https://msdn.microsoft.com/en-us/library/windows/desktop/aa380261%28v=vs.85%29.aspx – Alex K. Jun 07 '15 at 14:30
  • @AlexK. I took a look. If I use the local machine scope, will the key change if the user changes his password or changes the hardware or something? – techno Jun 07 '15 at 15:05

2 Answers

4

Within LocalMachine scope, the protected data is associated with the machine context. Any process running on the computer can unprotect data. This enumeration value is usually used in server-specific applications that run on a server where untrusted users are not allowed access.

Caution The LocalMachine enumeration value allows multiple accounts to unprotect data. Use this value only when you trust every account on a computer. For most situations, you should use the CurrentUser value.

The encrypted data can only be decrypted on the same machine on which it was encrypted.

DPAPI uses a MasterKey (512 bits of random data) to generate a session key for encryption and decryption. This means it will remain intact until reinstalling of OS.

https://msdn.microsoft.com/en-us/library/ms995355.aspx

Kambiz Shahim
  • Thanks, but I'm looking for more details. For example, does this method take the machine's hardware parameters into account while encrypting? If the hardware changes, will it work? – techno Jun 07 '15 at 14:36
  • @techno The master key and session keys are randomly generated keys, which means they don't depend on hardware. Please check out the updated answer. – Kambiz Shahim Jun 07 '15 at 15:00
  • Okay. So if I use the local machine scope the data will be correctly decrypted unless the OS is reinstalled. If the user changes the password, will that be an issue? – techno Jun 07 '15 at 15:04
  • @techno That won't be an issue because it doesn't depend on the specific user; any user on the machine can decrypt data encrypted with the local machine scope. – Kambiz Shahim Jun 07 '15 at 15:08
  • That won't be a problem. The product is licensed per PC, not per user. – techno Jun 07 '15 at 15:27
  • @techno For licensing I suggest not using ProtectedData for encryption/decryption; instead it is better to use an asymmetric algorithm to protect the data, to prevent users from accessing your licensing data. You can keep the private key for yourself and only embed the public key for decryption. – Kambiz Shahim Jun 07 '15 at 15:36
  • How can it be tied to the system? – techno Jun 07 '15 at 15:38
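The two points raised in this answer and its comments, as an added worked example (not code from the question or the answerers): a license payload is signed by the vendor with an RSA private key that never ships with the product, and the signed blob is then wrapped with DPAPI LocalMachine scope before being stored, exactly as the question does. Everything below is constructed for illustration; it assumes .NET 6 or later on Windows with the System.Security.Cryptography.ProtectedData package (on .NET Framework the type lives in System.Security.dll), and it assumes the registry value HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid is an acceptable per-PC identifier to put into the signed payload. The entropy string, payload layout and expiry date are made up.

```csharp
#nullable enable
// Added example, not from the original post. Windows only: ProtectedData is a
// wrapper around DPAPI (crypt32.dll CryptProtectData / CryptUnprotectData).
using System;
using System.Buffers.Binary;
using System.Security.Cryptography;
using System.Text;

public static class LicenseBlob
{
    // Optional entropy for ProtectedData. Once embedded in the binary it is not a
    // secret, but it stops other LocalMachine DPAPI callers on the same PC from
    // unprotecting the value by accident. Constructed value.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-license-v1");

    // Vendor side: sign the payload (e.g. "machine=<id>;expires=...") with the
    // private key. Layout: 4-byte little-endian payload length, payload,
    // RSA-PSS/SHA-256 signature.
    public static byte[] Sign(RSA privateKey, byte[] payload)
    {
        byte[] sig = privateKey.SignData(payload, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
        byte[] blob = new byte[4 + payload.Length + sig.Length];
        BinaryPrimitives.WriteInt32LittleEndian(blob, payload.Length);
        payload.CopyTo(blob, 4);
        sig.CopyTo(blob, 4 + payload.Length);
        return blob;
    }

    // Client side: check the signature with the embedded public key and return
    // the payload, or null if it does not verify. A local user can re-Protect
    // any bytes with LocalMachine scope, so DPAPI alone would not detect this.
    public static byte[]? Verify(RSA publicKey, byte[] blob)
    {
        if (blob.Length < 4) return null;
        int len = BinaryPrimitives.ReadInt32LittleEndian(blob);
        if (len < 0 || len > blob.Length - 4) return null;
        byte[] payload = blob.AsSpan(4, len).ToArray();
        byte[] sig = blob.AsSpan(4 + len).ToArray();
        bool ok = publicKey.VerifyData(payload, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
        return ok ? payload : null;
    }

    // Wrap the signed blob for storage in the registry. Only this machine can
    // unprotect the result: copying the registry value to another PC makes
    // Unprotect throw CryptographicException, because the machine master key
    // is random and lives on this OS installation, not in the hardware.
    public static byte[] ProtectForThisMachine(byte[] signedBlob) =>
        ProtectedData.Protect(signedBlob, Entropy, DataProtectionScope.LocalMachine);

    public static byte[]? UnprotectOnThisMachine(byte[] stored)
    {
        try { return ProtectedData.Unprotect(stored, Entropy, DataProtectionScope.LocalMachine); }
        catch (CryptographicException) { return null; } // other machine, reinstalled OS, or corrupt value
    }
}

public static class Demo
{
    public static void Main()
    {
        // Vendor key pair. In production the private key stays with the vendor
        // and only the SubjectPublicKeyInfo bytes are embedded in the product.
        using RSA vendor = RSA.Create(3072);
        using RSA embeddedPublic = RSA.Create();
        embeddedPublic.ImportSubjectPublicKeyInfo(vendor.ExportSubjectPublicKeyInfo(), out _);

        // Tie the license to the PC by putting a machine identifier into the
        // signed payload. Assumption: MachineGuid is good enough here; like the
        // DPAPI machine key it survives password changes but not an OS reinstall.
        string machineId = (string?)Microsoft.Win32.Registry.GetValue(
            @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography", "MachineGuid", null) ?? "unknown";
        byte[] payload = Encoding.UTF8.GetBytes($"machine={machineId};expires=2026-01-01");

        byte[] signed = LicenseBlob.Sign(vendor, payload);
        byte[] stored = LicenseBlob.ProtectForThisMachine(signed); // this is what goes into the registry

        byte[]? back = LicenseBlob.UnprotectOnThisMachine(stored);
        byte[]? verified = back is null ? null : LicenseBlob.Verify(embeddedPublic, back);
        Console.WriteLine(verified is null ? "license invalid" : Encoding.UTF8.GetString(verified));

        // Tampering with one payload byte (offset 5 is inside the payload) must be rejected.
        byte[] forged = (byte[])signed.Clone();
        forged[5] ^= 0x01;
        Console.WriteLine(LicenseBlob.Verify(embeddedPublic, forged) is null ? "forgery rejected" : "BUG");
    }
}
```

The split of responsibilities is the point: DPAPI LocalMachine scope keeps the stored value from being copied to another PC, but since every account on the machine can both Unprotect and re-Protect, it gives no integrity against the local user. The RSA signature over a payload that names the machine is what actually stops a user from editing the expiry or moving the license, and the client code checks the machine field in the verified payload against the running PC before honouring it.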
0

Reflector shows that ProtectedData.Protect is basically a wrapper for crypt32.dll's CryptProtectData() function.

From MSDN: (https://msdn.microsoft.com/en-us/library/windows/desktop/aa380261%28v=vs.85%29.aspx)

The CryptProtectData function performs encryption on the data in a DATA_BLOB structure. Typically, only a user with the same logon credential as the user who encrypted the data can decrypt the data. In addition, the encryption and decryption usually must be done on the same computer.

Denis Yarkovoy
  • LocalMachine scope associates the data encrypted with the current computer instead of with an individual user. Any user on the computer on which CryptProtectData is called can use CryptUnprotectData to decrypt the data. – Kambiz Shahim Jun 07 '15 at 15:03